When Microsoft announced last fall that the International Organization for Standardization (ISO) had awarded Windows 2000 the highest possible grade in the Common Criteria (CC) security certification, open-source advocates downplayed the honor as insignificant and unrelated to real-world security analysis. This week, however, ISO also awarded Linux the CC security certification, and as one might expect, the open-source community greeted the announcement with cheers. There's just one catch: Linux got a lower security rating than Win2K did last year.
ISO granted Linux a "low to moderate" security rating, whereas Win2K received a "moderate to high" security rating. According to people close to the certification process, ISO tested Linux for higher security ratings but the open-source solution achieved only the "low to moderate" rating.
Further dampening the celebration is news that most Linux installations didn't receive the certification. Sponsored by a $500,000 fee that IBM paid, the certification applies only to SuSE Linux and then only when that product is installed on certain IBM hardware. Still, the certification is an important first step for Linux, which is trying to position itself as a viable alternative to Windows in various situations. Microsoft has made significant security-related improvements to Windows since the company launched its Trustworthy Computing initiative a year and a half ago.

Then, I read from one post (Atomic Bomb) that the tests do not imply security, but actually measure the depth of documentation...Quote:
No, Paul, that is incorrect. The certification provided by CC is NOT one that measures security. It simply rates a specific organization's security assurance procedures. I thoroughly understand what CC does since I have dealt with this process directly. Here is a brief quote which clearly describes what I mean:

"The Common Criteria provides four levels of assurance that are mutually recognized by the sixteen participating countries, EAL1 through EAL4. Naively, one might assume that a product certified to EAL4 is "more secure" than a product certified to EAL1, just like an "A" in a college course indicates better student performance than a "D". But the EAL1-EAL4 scale is only superficially similar to grading systems like the classic D-C-B-A report card. Each ascending level of assurance requires more product _documentation_ rather than more product _security_ per se. EAL4, in particular, requires dozens of documents that can add up to thousands of pages for even relatively simple products. Many of these documents are created solely for the CC process; they serve no other purpose. Often the highest "grades" go to the product vendor with the biggest documentation budget, independent of the real world assurance provided by the targets of evaluation (TOEs)."

If I'm not mistaken, the ISO was formed, at least in a large part, by Microsoft itself. This article was written by a M$ flunkie and posted on a M$ website. The tests were probably done in a M$ lab, and the results may be completely fabricated. That's what I think about that. :D

09-04-2003

big_k105

I was waiting to hear that response from someone. lol

09-04-2003

kriss

It's happened before, and it will happen again.

Let's just face it.

GNU/Linux is better! :)

11-21-2003

BusterBalz

If Windows is so secure???

Then why are there so many Windows viruses and so few for every other OS in the world?

11-21-2003

AndroidI6

Perhaps that is because there are so many kiddies out there who don't bother to try and understand anything other than M$. And because of this (and other reasons), Windows is plagued with the most viruses of all operating systems combined.

11-22-2003

sarumont

The viruses that plague Windex boxen are due to the lack of security in the user department as well as the many exploitable bugs. You don't see virii and such for other OSes (*nix in general) because the user system is more secure. I can't severely screw up my box unless I'm running as root...and I don't run as root. In Windows, you have privileges to do anything and everything (or you have privileges to do nothing and nothing).

11-22-2003

Giro

Quote:

Originally Posted by sarumont

The viruses that plague Windex boxen are due to the lack of security in the user department as well as the many exploitable bugs. You don't see virii and such for other OSes (*nix in general) because the user system is more secure. I can't severely screw up my box unless I'm running as root...and I don't run as root. In Windows, you have privileges to do anything and everything (or you have privileges to do nothing and nothing).

No, this is incorrect. Have you ever secured Windows? You have a normal user with no privileges to do your day-to-day stuff. Then you have the administrator account, which is renamed and has a good password. Then disable the guest account and some services that aren't needed. This is similar to *nix users/groups (no one but admin can access system files, registry etc.). Also, not many viruses are written for other OSs because Windows is running on about 90% of desktops, making it a better target. And most users of it are not computer savvy (that's why they use Windows, right). So yet again it comes down to the system's admin/owner, not the OS; this has been said in many posts. So stop the stupid Windows bashing :wink:
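The three concrete checks in the post above (day-to-day work as a standard user, the built-in Administrator renamed, the Guest account disabled) can be audited on a modern Windows box with the script below. It is an added example, not from any poster in this thread, and assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function name Test-DailyAccountHardening is made up here.

```powershell
# Added example: audit the account-hardening points from the post above.
# Assumes Windows PowerShell 5.1+ with Get-LocalUser available (LocalAccounts module).

function Test-DailyAccountHardening {
    $findings = @()

    # 1. Is this session running with administrative rights? Day-to-day work should not be.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings += "Session for $($identity.Name) has administrative rights; use a standard user for daily work."
    }

    # 2. The built-in Administrator always has relative ID 500, whatever it is called,
    #    so look it up by SID rather than by name and report if it still has the default name.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtinAdmin -and $builtinAdmin.Name -eq 'Administrator') {
        $findings += "Built-in Administrator (RID 500) still uses its default name."
    }

    # 3. The built-in Guest has relative ID 501 and should be disabled.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest -and $guest.Enabled) {
        $findings += "Guest account ($($guest.Name)) is enabled."
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Test-DailyAccountHardening
```

The "unneeded services" item from the post is not checked, since which services are needed depends on the machine's role.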

11-22-2003

kriss

Security through obscurity doesn't work, and Windows is a perfect example of that.. :)

11-22-2003

sarumont

Quote:

Originally Posted by Ol Man

No, this is incorrect. Have you ever secured Windows? You have a normal user with no privileges to do your day-to-day stuff.

I've never been able to get to a normal user in Windows to be able to do what they need to do to run day to day without an administrator. I tried to set my sister up with a limited user acct. so she couldn't screw things up, but it was too limited for normal use. The big thing is that there's really no happy medium between Administrator and a "limited user."